Data
Remove sensitive data from client-side applications
Summary Access codes, tokens or credentials should be removed from client-side applications. If they are needed, the associated service should support Access Control Lists based on the expected origin. Description Storing sensitive information on the ...
Avoid exposing technical information
Summary Technical information (product name, version, configuration) of exposed services should not be accessible. Description Attackers usually perform reconnaissance to gather information about the target system. Exposing detailed technical ...
Keep client-side storage without sensitive data
Summary Personal, sensitive and session data must not be stored in the client-side storage (localStorage, sessionStorage, cookies without security attributes, mobile device unencrypted storage, etc.). Description Data placed in the localStorage ...
Avoid deserializing untrusted data
Summary The system must not deserialize untrusted data before applying the appropriate integrity checks. Description Serialization is the process of transforming an object into a stream of bytes to store or transmit it. This allows saving its state, ...
Prioritize token usage
Summary All systems related to credit cards must use tokens instead of storing card information. Description When processing transactions, systems can use tokens instead of the actual credit card information. This allows secure communication between ...
Notify configuration changes
Summary The system must notify the users whenever their authentication details or other security settings are changed. Description Most systems allow their users to modify relevant information, such as access credentials and contact data. Users ...
Mask sensitive data
Summary Business sensitive data (passwords, credit card numbers, CVV, etc.) must be masked. Description Applications usually handle personal information, such as credit card numbers, CVV, personal identifications, social security numbers, etc. The ...
Encrypt sensitive information
Summary All stored sensitive information must be encrypted. Description Systems usually store personal data, i.e., Personally Identifiable Information (PII), medical records, credentials and other types of sensitive information. All of these must be ...
Obfuscate application data
Summary The system must obfuscate the data if the application is not in focus. Description Obfuscating application data is needed to enhance security by making it more difficult for unauthorized users to understand or manipulate sensitive information ...
Delete sensitive data securely
Summary The system must support the secure removal of sensitive data, guaranteeing that it cannot be recovered. Description Systems often store and delete sensitive information protected by government regulations. These regulations usually demand ...
Transmit data using secure protocols
Summary The transmission of sensitive information and the execution of sensitive functions must be performed through secure protocols. Description A system can send information through a non-encrypted channel using insecure protocols. The use of ...
Use mock data
Summary Environments other than production should use mock or automatically generated data. Description Applications usually handle personal and other types of sensitive information. This information should not be used to perform tests or during ...
Use digital signatures
Summary The system must use digital signatures to ensure the authenticity of sensitive information. Description A digital signature is a cryptographic mechanism that helps identify the sender of a message, and guarantee its authenticity and ...
Avoid caching and temporary files
Summary The system must not store sensitive information in temporary files or cache memory. Description Applications sometimes reside in or get consumed by environments in which caching is possible. Caching helps performance or makes certain actions ...
Restrict system objects
Summary The system must restrict access to system objects that have sensitive content. It should only allow access to authorized users. Description Applications usually handle personal and confidential information, such as personal identifications, ...